AVOIDING INFORMATION SECURITY ANTIPATHY

18 Oct 2014 by Curtis

The recent Heartbleed bug in OpenSSL made its way through almost every media outlet in the world. It made internet infrastructuralists (is that a good word?) realize that an important component of the web wasn't getting enough attention. Now, a few months later, SSL/TLS has had more "eyeballs" on it, and additional security issues have been discovered as a result. The updates and patches have been flowing steadily.

At this point, many IT workers are well on their way to suffering some kind of "SSL fatigue." But this fatigue, perhaps even antipathy, has been growing in and around information security for quite some time, and includes more than just SSL bugs.

What I mean by "antipathy"

First, I want to be careful to define what I mean when I say "antipathy." I don't mean that people have chosen not to care, but rather that, being overwhelmed, they are unable to. Not actively choosing, but unable. Not incompetent, but unable. Not unwilling, but unable. These are important distinctions.

The word antipathy certainly has negative connotations. I chose it consciously, but not for its negativity. What I would like it to mean in the context of this post is a psychological condition in which one can no longer muster concern about information security and, what's more, is annoyed by people who still do (people like me *cough*).

Information technology is hard

IT is hard. It's hard to get things working, keep them working, and make changes to them, let alone find the time to think with a security mindset. 451 Research recently posted a diagram showing a hierarchy of IT needs, and if you agree with their concept it's easy to see why even a reasonable level of security is difficult to attain: security sits above the basic "keep it running" needs that consume most of the available effort.

My thesis is that IT workers at all levels are sick and tired of hearing about information security issues. So much so that they are suffering from a form of alarm fatigue, which has become, if it wasn't already, a growing antipathy towards information security professionals. It doesn't help that the risks associated with security issues often don't directly affect any single person, but fall instead on larger groups of unseen users.

At this point, in many work environments, even mentioning a security issue draws comments like "tinfoil hat," "grumpy old men," "paranoid," "curmudgeonly," and worse (believe me, I've heard much worse).

Where to go from here?

In this post I just wanted to introduce my thoughts on IT's alarm fatigue and on how antipathy towards information security, as I define it, is growing. I hope in future posts to talk more about potential solutions.

If there is anything to be taken from this post, it's this: information security professionals have a bad reputation for being pedantic, paranoid, saying "no," and just generally getting in the way of everyone's work (I'm describing myself here), but they are still people and deserve empathy, like all of us do.